Change log of AWS IAM permissions

2026-04-08

24 new actions, 2 new resources, 5 new conditions

Additions

Actions

ClientMount
- Description: Grants permission to allow an NFS client read-access to a file system
- Access: Read
- Resources:
  Name: file-system
  
  Required: Yes
- Conditions:
  s3files:AccessPointArn
ClientRootAccess
- Description: Grants permission to allow an NFS client root-access to a file system
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes
- Conditions:
  s3files:AccessPointArn
ClientWrite
- Description: Grants permission to allow an NFS client write-access to a file system
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes
- Conditions:
  s3files:AccessPointArn
CreateAccessPoint
- Description: Grants permission to create an access point for the specified file system
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
CreateFileSystem
- Description: Grants permission to create a new file system
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateMountTarget
- Description: Grants permission to create a mount target for a file system
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes
DeleteAccessPoint
- Description: Grants permission to delete a specified access point
- Access: Write
- Resources:
  Name: access-point
  
  Required: Yes
DeleteFileSystem
- Description: Grants permission to delete a specified file system
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes
DeleteFileSystemPolicy
- Description: Grants permission to delete the IAM resource policy for a specified file system
- Access: Permissions management
- Resources:
  Name: file-system
  
  Required: Yes
DeleteMountTarget
- Description: Grants permission to delete a specified mount target
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes
GetAccessPoint
- Description: Grants permission to get resource information for a specified access point
- Access: Read
- Resources:
  Name: access-point
  
  Required: Yes
GetFileSystem
- Description: Grants permission to get resource information for a specified file system
- Access: Read
- Resources:
  Name: file-system
  
  Required: No
GetFileSystemPolicy
- Description: Grants permission to get the IAM resource policy for a specified file system
- Access: Read
- Resources:
  Name: file-system
  
  Required: No
GetMountTarget
- Description: Grants permission to get resource information for a specified mount target
- Access: Read
- Resources:
  Name: file-system
  
  Required: Yes
GetSynchronizationConfiguration
- Description: Grants permission to get a synchronization configuration for a specified file system
- Access: Read
- Resources:
  Name: file-system
  
  Required: Yes
ListAccessPoints
- Description: Grants permission to get a paginated list of all access points in the account
- Access: List
- Resources:
  Name: access-point
  
  Required: Yes
ListFileSystems
- Description: Grants permission to get a paginated list of all file systems in the account
- Access: List
- Resources:
  Name: file-system
  
  Required: No
ListMountTargets
- Description: Grants permission to get a paginated list of all mount targets in the account
- Access: List
- Resources:
  Name: file-system
  
  Required: Yes
ListTagsForResource
- Description: Grants permission to list tags for a specified S3 Files resource
- Access: Read
- Resources:
  Name: access-point
  
  Required: No
  
  Name: file-system
  
  Required: No
PutFileSystemPolicy
- Description: Grants permission to add an IAM resource policy to a specified file system
- Access: Permissions management
- Resources:
  Name: file-system
  
  Required: Yes
PutSynchronizationConfiguration
- Description: Grants permission to add a synchronization configuration to a specified file system
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes
TagResource
- Description: Grants permission to tag a specified S3 Files resource
- Access: Tagging
- Resources:
  Name: access-point
  
  Required: No
  
  Name: file-system
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  s3files:CreateAction
UntagResource
- Description: Grants permission to untag a specified S3 Files resource
- Access: Tagging
- Resources:
  Name: access-point
  
  Required: No
  
  Name: file-system
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateMountTarget
- Description: Grants permission to update resource information for a specified mount target
- Access: Write
- Resources:
  Name: file-system
  
  Required: Yes

Resources

file-system
- Arn: arn:${Partition}:s3files:${Region}:${Account}:file-system/${FileSystemId}
- Conditions:
  aws:ResourceTag/${TagKey}
access-point
- Arn: arn:${Partition}:s3files:${Region}:${Account}:file-system/${FileSystemId}/access-point/${AccessPointId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys that are passed in the request
- Type: ArrayOfString
s3files:AccessPointArn
- Description: Filters access by the ARN of the access point used to mount the file system
- Type: ARN
s3files:CreateAction
- Description: Filters access by the name of a resource-creating API action
- Type: String

Amazon S3 Files (s3files)

Additions